What does the WM Morrison Supermarkets Plc data breach mean to employers?

24 October 2018

The issue in question is whether an employer is vicariously liable in damages to employees whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee?

Yes, said the Court of Appeal in WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339 which held that there was sufficient connection between the position of the employee and his wrongful conduct to justify holding Morrisons liable.

There are over five thousand individual claimants, meaning damages are very likely to be extremely substantial.

This deliberate data breach was carried out by a rogue employee using his home computer in his own time and will be a cause of great concern to data controllers and data processors. At first instance, the judge held that Morrisons had implemented a range of mechanisms to prevent data misuse and complied with its own obligations under the DPA – yet it was still held variously liable for the employee’s torts of misuse of private information and breach of confidence.

So what are the implications?

This case indicates that even the most conscientious data controllers and processors may be exposed to enormous financial liabilities through the actions of their employees. The situation is unlikely to be any better for employers under the GDPR and Data Protection Act 2018 – so even if a firm avoids a hefty fine from the ICO for breach, that won’t mean they escape liability.

Employers will wish to revisit their recruitment due diligence procedures, their data protection policies and – crucially – their insurance provision to ensure that they are adequately protected.

To speak to our information law and employment law teams call 0207 410 2000.

Mark Thomas and John Goss are members of the information law and employment law teams at 5 Essex Chambers. They advise public bodies and a wide range of commercial organisations, including national retailers.


Mark Thomas

Call 2006

John Goss

Call 2015

Related areas



Join our mailing list to receive the latest news and event updates.



16 April 2024

Chambers is delighted to announce that Head of Chambers, Jason Beer KC is one of only…

Discover more

14 February 2022

The first hearings of the Post Office Horizon IT Inquiry commenced today.  Previously a non-statutory…

Discover more

19 December 2023

A message from Head of Chambers, Jason Beer KC, looking back at the past 12…

Discover more

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)